Detections
Analytics
2.6 Ensure user consent to apps accessing company data on their behalf is not allowed
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
By default, users can consent to applications accessing your organization's data, although only for some permissions. For example, by default a user can consent to allow an app to access their own mailbox or the Teams conversations for a team the user owns, but cannot consent to allow an app unattended access to read and write to all SharePoint sites in your organization.Do not allow users to grant consent to apps accessing company data on their behalf.
Rationale:
Attackers commonly use custom applications to trick users into granting them access to company data.
While allowing users to consent by themselves does allow users to easily acquire useful applications that integrate with Microsoft 365, Azure and other services, it can represent a risk if not used and monitored carefully.
Disable future user consent operations to help reduce your threat-surface and mitigate this risk. If user consent is disabled, previous consent grants will still be honored but all future consent operations must be performed by an administrator.
Impact:
If user consent is disabled, previous consent grants will still be honored but all future consent operations must be performed by an administrator. Tenant-wide admin consent can be requested by users through an integrated administrator consent request workflow or through organizational support processes.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To prohibit user consent to apps accessing company data on their behalf, use the Microsoft 365 Admin Center:Select Admin Centers and Azure Active Directory.
Select Enterprise applications from the Azure navigation pane.
Under Security select Consent and permissions.
Under User consent for applications select Do not allow user consent.
Click the Save option at the top of the window.
To prohibit user consent to apps accessing company data on their behalf, use the Microsoft Online PowerShell Module:
Connect to Microsoft Online service using Connect-MSOLService.
Run the following Microsoft Online PowerShell command:
Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $False
Default Value:
UI - Yes PowerShell - True
See Also
Item Details
Audit Name: CIS Microsoft 365 Foundations E3 L2 v1.4.0
References: CSCv7|14.6
Plugin: microsoft_azure
Control ID: e2109f5e8efca6d8bb8f1255e6309be7c8bb6a9706cb04b38afb7389cbaee9d9